Restricting users to AD domain computers

Phil Mayers p.mayers at imperial.ac.uk
Thu Oct 11 12:45:05 CEST 2012


On 11/10/12 11:03, Bryce Mackintosh wrote:
> Hi,
>
> I'm currently using FreeRadius to control access to our wifi network
> with PEAP-TLS, and authenticating users against their AD accounts. I now
> need to somehow additionally restrict the users' wifi access to only the
> machines that are joined to the Windows domain, and not phones, iPads,
> etc, and do this in a reasonably secure fashion.

Can you be more specific here?

Do you want to authenticate *first* the computer and *then* the user via 
802.1x? If so, that could be tricky - Windows doesn't support >1 auth 
inside the PEAP tunnel.

>
> There are a couple of hundred laptops involved, so I'd like to avoid
> having to do much in the way of client-side configuration, but I suspect
> that client certificates may be the only answer.

How do you think they may be "the answer"? IIRC you can't use client 
certs with PEAP in Windows.


More information about the Freeradius-Users mailing list